A. Juels

Note: A detail omitted from this (short) PerSec version of the paper appears to have led in some follow-up work to a misunderstanding of the "Minimalist MAC" yoking proof depicted in Figure 2. The values rA and rB are one-time secrets that may be initialized in tags simultaneously with the secret keys for the MACs. Thus we presume that rA and rB are shared between tags and the verifier. That is, the verifier may check their correctness on verifying PAB.

Abstract: In some cases, it is useful to prove that a pair of
RFID tags has been scanned simultaneously. A pharmacy might want to be
able to prove, for instance, that it dispensed an RFID-tagged prescription
bottle along with a required RFID-tagged booklet containing indications.
An aircraft-parts manufacturer might wish to prove, using RFID, that its
goods leave the warehouse with safety caps attached.

RSA Laboratories scientists have developed a technique known as a "yoking
proof." A pair of tags can construct such a proof in order to help
demonstrate that they have been scanned simultaneously. The proof is designed
to be unforgeable even when tags are scanned by malicious reading devices.